APT28 LNK SmartScreen bypass and CVE-2026-32202 coercion chain

Summary

Akamai reports that an APT28 / Fancy Bear campaign against Ukraine and European targets used weaponized Windows .lnk files that chained CVE-2026-21513 with CVE-2026-21510 to bypass SmartScreen and load attacker-controlled code from remote infrastructure.

Microsoft's February 2026 patch blocked the original remote-code-execution and SmartScreen-bypass behavior, but Akamai found the fix left a related zero-click authentication-coercion issue now tracked as CVE-2026-32202. That follow-on bug causes Windows to authenticate to an attacker-controlled server without user interaction, making it useful for NTLM capture/relay-style tradecraft even after the original code-execution path is closed.

Why this matters

  • The chain shows how a partial exploit-chain fix can leave a durable coercion primitive behind; defenders should not treat the February SmartScreen patch as the end of the exposure story.
  • The delivery object is a Windows shortcut rather than a conventional executable, so email, archive, and file-share controls need to inspect .lnk internals and remote-path behavior.
  • Authentication coercion can still produce useful attacker outcomes even without direct code execution, especially in environments where NTLM relay or credential capture paths remain viable.

Reported chain

  1. CERT-UA attributed a December 2025 campaign against Ukraine and several European countries to APT28 / Fancy Bear.
  2. The lure used a weaponized .lnk file.
  3. CVE-2026-21513 and CVE-2026-21510 were used in the same shortcut exploit chain.
  4. CVE-2026-21510 abused Windows shell namespace parsing to load a Control Panel / CPL path from an attacker-controlled UNC location, bypassing SmartScreen/network-zone expectations.
  5. Microsoft patched the RCE and SmartScreen-bypass behavior in February 2026.
  6. Akamai then disclosed that the patch was incomplete: CVE-2026-32202 remained as a zero-click authentication-coercion issue that could make the victim authenticate to an attacker-controlled server.

Defender heuristics

  • Inventory endpoints for February 2026 and later Microsoft patches covering CVE-2026-21513, CVE-2026-21510, and CVE-2026-32202.
  • Hunt mail, web-download, and file-share telemetry for .lnk files with shell namespace / Control Panel target structures and embedded UNC paths.
  • Treat outbound SMB/WebDAV or other Windows authentication attempts triggered by opening or previewing shortcut files as suspicious, especially when the destination is internet-routable or newly observed.
  • Reduce NTLM relay value where possible: disable unnecessary NTLM, enforce SMB signing, limit outbound SMB, and monitor coerced-authentication patterns from workstations.
  • When reviewing vendor patches for exploited chains, test for residual primitives such as forced authentication, not only the headline RCE or SmartScreen bypass.
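As an added example (not code from the Akamai write-up or from this page's author), a minimal Python scanner for the hunting heuristic above: it walks the MS-SHLLINK layout of a .lnk file and reports a UNC NetName in LinkInfo plus any StringData entry that is a UNC path, a .cpl reference or a shell namespace ::{GUID}. The sample shortcut it builds is constructed here with a TEST-NET address, not an artifact from the campaign, and the string patterns flagged are my assumption about what a first-pass hunt should surface, not anything the page specifies.

```python
import struct

# MS-SHLLINK constants: header magic, LinkCLSID, and the LinkFlags bits this scanner reads.
LNK_MAGIC = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in file order: Name, RelativePath, WorkingDir, Arguments, IconLocation
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)

def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]

def parse_lnk_findings(data):
    """Walk a .lnk blob and return (section, value) pairs worth a hunt query: a UNC NetName in
    LinkInfo, or StringData that is a UNC path, a .cpl reference, or a shell namespace ::{GUID}."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, pos, findings = u32(data, 0x14), 0x4C, []
    if flags & HAS_IDLIST:                       # skip LinkTargetIDList: IDListSize + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li, li_size = pos, u32(data, pos)
        if u32(data, li + 8) & 0x2:              # CommonNetworkRelativeLinkAndPathSuffix flag
            cnrl = li + u32(data, li + 20)       # CommonNetworkRelativeLinkOffset
            name_off = cnrl + u32(data, cnrl + 8)  # NetNameOffset, relative to the CNRL start
            net = data[name_off:data.index(b"\x00", name_off)].decode("latin-1")
            findings.append(("linkinfo_netname", net))
        pos = li + li_size
    for flag in STRING_FLAGS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            text = raw.decode("utf-16-le" if width == 2 else "latin-1")
            if text.startswith("\\\\") or ".cpl" in text.lower() or "::{" in text:
                findings.append(("stringdata", text))
    return findings

def build_sample_lnk(netname, arguments):
    """Constructed sample (not a real artifact): minimal shortcut with a UNC NetName in LinkInfo
    and a Unicode Arguments string, laid out per MS-SHLLINK so the parser above can walk it."""
    flags = HAS_LINKINFO | 0x20 | IS_UNICODE     # LinkInfo present, HasArguments, IsUnicode
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * (0x4C - 24)
    net = netname.encode("ascii") + b"\x00"
    cnrl = struct.pack("<IIIII", 20 + len(net), 0, 20, 0, 0x20000) + net
    li_size = 28 + len(cnrl) + 1                 # LinkInfo header + CNRL + empty CommonPathSuffix
    linkinfo = struct.pack("<IIIIIII", li_size, 28, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + b"\x00"
    return header + linkinfo + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Run `parse_lnk_findings(open(path, "rb").read())` over shortcuts pulled from mail or share telemetry; any `linkinfo_netname` pointing at an internet-routable or newly seen host is the trigger for the outbound-authentication checks in the bullets above.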

Attribution notes

Akamai cites CERT-UA attribution to APT28 / Fancy Bear for the original campaign. This page uses that attribution for the shortcut exploit chain while treating CVE-2026-32202 as a vulnerability discovered during patch-diffing of the chain, not necessarily as a separately observed in-the-wild APT28 exploitation path.

Sources

  • Akamai: https://www.akamai.com/blog/security-research/incomplete-patch-apt28s-zero-day-cve-2026-32202
  • Microsoft MSRC CVE-2026-21510: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21510
  • Microsoft MSRC CVE-2026-21513: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21513
  • Microsoft MSRC CVE-2026-32202: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202